Using Amazon SNS for System-to-System Messaging with an Amazon SQS Queue as a Subscriber

Amazon SNS works closely with Amazon Simple Queue Service (Amazon SQS). Both services provide different benefits for developers. Amazon SNS allows applications to send time-critical messages to multiple subscribers through a “push” mechanism, eliminating the need to periodically check or “poll” for updates. Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components, without requiring each component to be concurrently available. By using Amazon SNS and Amazon SQS together, messages can be delivered to applications that require immediate notification of an event, and also persisted in an Amazon SQS queue for other applications to process at a later time.

When you subscribe an Amazon SQS queue to an Amazon SNS topic, you can publish a message to the topic and Amazon SNS sends an Amazon SQS message to the subscribed queue. The Amazon SQS message contains the subject and message that were published to the topic, along with metadata about the message, in a JSON document. The Amazon SQS message will look similar to the following JSON document.

Instead of following the steps listed below, you can now subscribe an Amazon SQS queue
to an Amazon SNS topic using the Amazon SQS console,
which simplifies the process. For more information, see Subscribe Queue to Amazon SNS Topic

To enable an Amazon SNS topic to send messages to an Amazon SQS queue, follow these steps:

Step 1: Get the ARN of the Queue and Topic

When subscribing a queue to your topic, you'll need a copy of the ARN for the queue. Similarly, when giving permission for the topic to send messages to the queue, you'll need a copy of the ARN for the topic.

To get the queue ARN, you can use the Amazon SQS console or the GetQueueAttributes API action.

Step 2: Give Permission to the Amazon SNS Topic to Send Messages to the Amazon SQS Queue

For an Amazon SNS topic to be able to send messages to a queue, you must set a policy on the queue that allows the Amazon SNS topic to perform the sqs:SendMessage action.

Before you subscribe a queue to a topic, you need a topic and a queue. If you haven't
already created a topic or queue, create them now. For more information, see Creating a Topic, and see Creating a Queue in the
Amazon Simple Queue Service Developer Guide.

To set a policy on a queue, you can use the Amazon SQS console or the SetQueueAttributes API action. Before you start, make sure you have the ARN for the topic
that you want to allow to send messages to the queue.

Select the box for the queue whose policy you want to set, choose the Permissions tab, and then choose Add a Permission.

In the Add a Permission dialog box, select
Allow for Effect, select Everybody
(*) for Principal, and then select
SendMessage from the Actions drop-down.

Add a condition that allows the action for the topic. Choose Add Conditions
(optional), select ArnEquals for
Condition, select aws:SourceArn for
Key, and paste in the topic ARN for Value.
Choose Add Condition. The new condition should appear at the bottom of
the box (you may have to scroll down to see this).

Choose Add Permission.

If you wanted to create the policy document yourself, you would create a policy like the following. The policy allows MyTopic to send messages to MyQueue.
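The queue policy that the console steps above produce, built as an added example (this is not the page's own policy document): a statement allowing sqs:SendMessage to Principal * but restricted by an ArnEquals condition on aws:SourceArn to one topic. The audit helper shows why the condition matters: without it, the wildcard principal lets any caller enqueue messages. The ARNs are constructed placeholders.

```python
import json

# Constructed example ARNs (hypothetical names; the account id matches the page's examples).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MyTopic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:MyQueue"


def build_queue_policy(queue_arn: str, topic_arn: str) -> dict:
    """Return the SQS queue policy equivalent to the Step 2 console choices:
    Effect Allow, Principal Everybody (*), Action SendMessage, with an
    ArnEquals condition on aws:SourceArn naming the single allowed topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSnsTopicToSendMessage",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def unscoped_send_statements(policy: dict) -> list:
    """Audit helper: return the Sids of Allow statements that grant
    sqs:SendMessage to a wildcard principal with no aws:SourceArn condition.
    Such a statement accepts messages from any principal, not just the topic."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sqs:SendMessage", "sqs:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        cond = stmt.get("Condition", {})
        has_source = any("aws:SourceArn" in v for v in cond.values() if isinstance(v, dict))
        if wildcard and not has_source:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_queue_policy(QUEUE_ARN, TOPIC_ARN)
    print(json.dumps(policy, indent=2))
    print("unscoped statements:", unscoped_send_statements(policy))
```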

Step 3: Subscribe the Queue to the Amazon SNS Topic

To send messages to a queue through a topic, you must subscribe the queue to the Amazon SNS topic. You specify the queue by its ARN. To subscribe to a topic, you can use the Amazon SNS console, the sns-subscribe command, or the Subscribe API action. Before you start, make sure you have the ARN for the queue that you want to subscribe.

Choose Create Subscription, select Amazon SQS for Protocol, paste in the ARN for the queue that you want the topic to send messages to for Endpoint, and choose Subscribe.

For the Subscription request received! message, choose Close.

When the subscription is confirmed, your new subscription's Subscription ID displays its subscription ID. If the owner of the queue creates the subscription, the subscription is automatically confirmed and the subscription should be active almost immediately.

Usually, you'll be subscribing your own queue to your own topic in your own account. However, you can also subscribe a queue from a different account to your topic. If the user who creates the subscription is not the owner of the queue (for example, if a user from account A subscribes a queue from account B to a topic in account A), the subscription must be confirmed. For more information about subscribing a queue from a different account and confirming the subscription, see Sending Amazon SNS Messages to an Amazon SQS Queue in a Different Account.

Step 4: Give Users Permissions to the Appropriate Topic and Queue Actions

Add a policy to an IAM user or group. The simplest way to give users permissions to topics or queues is to create a group, add the appropriate policy to the group, and then add users to that group. It's much easier to add and remove users from a group than to keep track of which policies you set on individual users.

Add a policy to a topic or queue. If you want to give permissions to a topic or queue to another AWS account, the only way you can do that is by adding a policy that has as its principal the AWS account you want to give permissions to.

You should use the first method for most cases (apply policies to groups and manage permissions for users by adding or removing the appropriate users to the groups). If you need to give permissions to a user in another account, you should use the second method.

Adding a Policy to an IAM User or Group

If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the sns:Publish action on the topic MyTopic.

If you added the following policy to an IAM user or group, you would give that user or members of that group permission to perform the sqs:ReceiveMessage and sqs:DeleteMessage actions on the queues MyQueue1 and MyQueue2.

Adding a Policy to a Topic or Queue

The following example policies show how to give another account permissions to a topic and queue.

Note

When you give another AWS account access to a resource in your account, you are also giving IAM users who have admin-level access (wildcard access) permissions to that resource. All other IAM users in the other account are automatically denied access to your resource. If you want to give specific IAM users in that AWS account access to your resource, the account or an IAM user with admin-level access must delegate permissions for the resource to those IAM users. For more information about cross-account delegation, see Enabling Cross-Account Access in the Using IAM Guide.

If you added the following policy to a topic MyTopic in account 123456789012, you would give account 111122223333 permission to perform the sns:Publish action on that topic.

If you added the following policy to a queue MyQueue in account 123456789012, you would give account 111122223333 permission to perform the sqs:ReceiveMessage and sqs:DeleteMessage actions on that queue.

Step 5: Test the Topic's Queue Subscriptions

You can test a topic's queue subscriptions by publishing to the topic and viewing the message that the topic sends to the queue.

To publish to a topic using the Amazon SNS console

Using the credentials of the AWS account or IAM user with permission to publish to the topic, sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/.

In the navigation pane, select the topic and choose Publish to Topic.

In the Subject box, enter a subject (for example, Testing publish to queue); in the Message box, enter some text (for example, Hello world!); and then choose Publish Message. The following message appears: Your message has been successfully published.

To view the message from the topic using the Amazon SQS console

Using the credentials of the AWS account or IAM user with permission to view messages in the queue, sign in to the AWS Management Console and open the Amazon SQS console at https://console.aws.amazon.com/sqs/.

Check the box for the queue that is subscribed to the topic.

From the Queue Action drop-down, select View/Delete Messages and choose Start Polling for Messages. A message with a type of Notification appears.

In the Body column, choose More Details. The Message Details box contains a JSON document with the subject and message that you published to the topic. The message looks similar to the following JSON document.